Skip to content

Commit b3daa04

Browse files
authored
chore(deps): patch ws and form-data advisories in approuter (#41)
Resolves two open Dependabot alerts: - #193 form-data <4.0.6 CRLF injection (high) -> form-data 4.0.6 - #194 ws <7.5.11 memory-exhaustion DoS (high) -> ws 7.5.11 How: - Lockfile in app/router/ was stale at @sap/approuter 21.5.0 even though PR #37 had already bumped the manifest to ^22.0.1. Regenerated it; npm resolves to @sap/approuter 22.0.3 (latest), which pulls axios 1.16.1 -> form-data 4.0.6. Closes #193. - @sap/approuter 22.0.3 still pins ws: '7.5.10' exactly, so a lockfile-only fix can't reach 7.5.11. Added an npm 'overrides' entry to force ws ^7.5.11. Closes #194. The override is a workaround until SAP bumps the ws pin in a future @sap/approuter release. ws 7.5.11 is a patch over 7.5.10 (same minor line), so the risk of regression is low; the approuter module still loads cleanly with the override applied. Verified: npm audit in app/router/ reports 0 vulnerabilities; node -e "require('@sap/approuter')" loads without errors. Co-authored-by: Thomas Jung <12159356+jung-thomas@users.noreply.github.com>
1 parent d88700a commit b3daa04

2 files changed

Lines changed: 27 additions & 23 deletions

File tree

solution/MyHANAApp/app/router/package-lock.json

Lines changed: 24 additions & 23 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

solution/MyHANAApp/app/router/package.json

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,9 @@
33
"dependencies": {
44
"@sap/approuter": "^22.0.1"
55
},
6+
"overrides": {
7+
"ws": "^7.5.11"
8+
},
69
"engines": {
710
"node": "^24"
811
},

0 commit comments

Comments
 (0)